HashCloak Newsletter March 2023
What the HashCloak team has been reading and up to in March 2023
Welcome to the March edition of the HashCloak Newsletter! In this month's edition, we'll be sharing our latest insights on privacy and highlighting some of our recent projects and collaborations. We'll also be sharing interesting reads and research that we think will be valuable to our readers. Thank you for joining us on this journey and for your continued support of our work!
Stuff We’ve been reading
A new series of videos on zero-knowledge proof composition and recursion (part 1)
Systematic Approach to Maintaining EVM Compatibility and Security
Stuff We’ve been playing with
Github Links
Stuff We’ve been watching
Interesting HashCloak Research Project of the Month
As part of our working engagement with Fuel Labs, we have been working on implementing various cryptographic primitives in the Sway programming language. We have been implementing NIST standardized cryptographic hash functions, elliptic curves and signature schemes.
You can check out our work in the following repositories:
Special Purpose Cryptography Protocol of the Month
As part of our consulting practice, we notice that many clients try to shoehorn general-purpose cryptography techniques such as ZK-SNARKs into problems for which there are well-studied, understood and implemented special purpose protocols. In this section, every month, we hope to give you a taste of a useful special purpose protocol in order to better educate you on good composable cryptographic design principles.This month, we will provide a short summary of the Signal private group system and anonymous credential protocol used within the Signal Messaging app.
Signal is a messaging application with millions of users that makes use of end to end encryption in order to enable users to privately communicate with each other. A feature that Signal originally lacked is the ability for its users to create group chats in which members can communicate with each other privately. However, this brings with it a few difficult tradeoffs to make. Many constructions in the literature for creating private groups in which an outside observer cannot discern who the members are rely on a trusted third party. In many of these constructions, the trusted third party handles everything regarding group membership, credentials, etc. In the past decade, many works have come out to improve these constructions by limiting the power of the trusted third party.
In Signal’s private group messaging system, the server is untrusted and a malicious server can only disrupt service. As such, the protocol doesn’t rely on an honest server to issue credentials, or manage the membership list.
In order to achieve these properties, Signal’s private group system relies on verifiable encryption, zero-knowledge proofs and keyed verification anonymous credentials (KVAC). The use of verifiable encryption allows users to deterministically encrypt/decrypt without relying on the server. The use of zero-knowledge proofs allows users to independently check the validity of IDs and profile keys and to authenticate to the server without revealing sensitive information about their own profiles. KVACs are used to create profile keys and identities such that
The issuer and the verifier of a credential is the same entity
Message authentication codes (MACs) can be used instead of signatures
A credential owner can show that they have the credential to multiple parties without linking instances of these showings i.e. the KVAC scheme used has multishow unlinkability
If you want to learn more about the protocol and its implementation, you can visit the following resources:
https://github.com/signalapp/libsignal/tree/main/rust/zkgroup
https://github.com/signalapp/libsignal/tree/main/rust/poksho
We hope you enjoyed reading the March edition of the HashCloak Newsletter and gained valuable insights into our latest research and projects. Our team is always striving to stay at the forefront of privacy innovation. We're excited to share our latest progress with you and look forward to continuing this important work together.
Subscribe to our newsletter to stay up-to-date with our latest insights and research.
Follow us on Twitter to find out about any announcements we make on our engagements or internal projects.
Schedule a call with us to engage in R&D, security auditing or any other potential collaborations: https://calendly.com/d/hhc-dnq-wfd/hashcloak-services-inquiries.